Jamf Pro - Azure AD

user-OHTrLNQCsZ
New Contributor III

Hi all

I am new to Jamf.

I am looking to start enrolling our mac fleet into Jamf Pro. (we have v 10.26).
We have AD on prem and bind Macs to a domain.

I have some questions:

Is it recommended to connect to Azure AD before or after enrolling our fleet?
Is there any downside to connecting to azure AD before enrolling the fleet?
Where does LDAP come in? (I understand version 10.27 is released this week which allows integration into Azure AD. Does this mean it will replace LDAP?

thanks

17 REPLIES 17

Cayde-6
Valued Contributor

10.27 integrates with Azure AD and works the same way as LDAP within Jamf Pro, if you are at the point of rolling our your fleet then perhaps integrating with Azure AD would be a good thing to do now rather than later.

I've just done the integration to 10.27 on my MDM and the process was straight forward, you can then look into using custom enrolment and using Azure SSO during the setup process.

user-OHTrLNQCsZ
New Contributor III

Is there any downside to enrolling the fleet first? And then hooking up to Azure AD later down the line?

Are there any other considerations at this point?

Cayde-6
Valued Contributor

So the only reason I can see is if you enabled now with custom enrolment then it will associate the Azure AD account with the device in Jamf Pro so a sort of account and auditing.

You can do this post rollout but its a manual API task instead of automated

user-OHTrLNQCsZ
New Contributor III

And whats the problem with associating the Azure AD account with the device?

Cayde-6
Valued Contributor

There wasn't a problem, it was the only positive item I could think of.

user-OHTrLNQCsZ
New Contributor III

thanks I got the wrong end of the stick there.

user-OHTrLNQCsZ
New Contributor III

Has anyone else got any thoughts on the original post?

Tribruin
Contributor III
Contributor III

Are your currently using LDAP with ADFS? With 10.27, it doesn't appear you can use both LDAP and Azure AD Cloud Identity. See this note in the Jamf Administrator guide:

02308fe76f1d4c03a1befb0f2f86143f

What is your ultimate goal with Azure AD integration? And what are you doing now with LDAP integration (if anything?) It really won't affect anything you are doing on the client computers related to binding. That will continue to function as before. What 10.27 adds is the ability to use Azure AD similar to what we can use LDAP for now in Jamf Pro (Jamf Pro Users, Scoping to AAD accounts and Groups.)

user-OHTrLNQCsZ
New Contributor III

@RBlount - We are at the beginning so at this point its a case of getting going so trying to see if enrolling devices before or after has any benefits or downsides?

We have not integrated anything yet. Out ultimate goal is to have this as hassle free as possible and replace AD on prem and get modern. We will also at some point down the line purchase Jamf connect.

About LDAP with ADFS - I'll assume you mean do we have it set up already for our Macs with Jamf? If so then no. Or do you mean do we have LDAP setup for our PCs?

thanks

amitp
New Contributor

I integrated and it works fine except for group membership. The users and groups do get populated but the group membership shows NA. Any idea on this?

michaelhusar
Contributor II

MFA Multifactor Auth could be a blocker if you use user-initiated Enrollment (as we do)
...
When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
...

pramodmac
New Contributor III

@michaelhusar
we wanted to use user-initiated Enrolment, and still waiting to integrate the Azure AD from our AD team, can you please point to a good workflow for user-initiated Enrolment? I can look into the Admin guide, but I'm guessing there is something somewhere that others used and is easier, or your workflow?
thanks in advance.

michaelhusar
Contributor II

@pramodmac I do not know whether it is good, but:

  1. We only order machines with DEP/ADE

  2. We configured Enrollment customization und User initiated Enrollment with the AD/LDAP groups we want to allow Enrollment

  3. We use PreStage Enrollment with Account creation-> with Pre-fill account information with device owner’s details so we end up at the Setup Assistant with the AD-account of the enrolling enduser

  4. We followed the JNUC https://youtu.be/ep-81id3PvY Many thanks for the great video !

So the user unpacks the machine, connects to internet, authenticates and waits for the setup to be finished
Hope that helps

Btw: We do not bind anymore - we use the SSO Extension (distributed via MDM)

pramodmac
New Contributor III

@ michaelhusar, thank you for your response and assistance, I will check the video you shared, much appreciated.

dmillertds
New Contributor III

I was considering starting my own thread, but figure I'll try this one first.

I am trying to integrate AAD/ASM authentication for our Macs (running Catalina). We have on-prem Jamf Pro (running 10.28x), and a fully populated AAD tenant, as well as ASM. I have the ASM/AAD sync running successfully, creating users as desired in ASM. All our Macs are enrolled via DEP, but are NOT currently bound to any DS - just using local user accounts. What do I need to do to setup AAD authentication on the Macs themselves? @michaelhusar mentions an SSO extension - what exactly is that, and where do I lay hands on it? Or is that even what I need? Sorry, I've read quite a bit, and watched about half of that video, but it was spending a lot of time on LDAPS instead of Azure/SAML, and it seemed oriented to starting from scratch, which isn't my case. Any guidance greating appreciated!

Tribruin
Contributor III
Contributor III

@dmillertds Just to make sure I understand, you want to connect directly to Azure AD and not a local AD, correct?

If so, what are you goals for authentication? Do you just want to authenticate when the computer is enrolled? Do you want to have the user authenticate against their AAD accounts to create users? Do you want to keep their passwords sync'd between Azure AD and their local macOS account? Do you want them to authenticate against Azure AD each time they login?

If all you want to do is have the user authenticate during enrollment, you can setup SSO in Jamf Pro. For Automated Enrollments, you would need to create an Enrollment Customization (with an SSO pane.)

If you want to have your users log in to their computers with their Azure AD accounts, then you will need to purchase Jamf Connect. This will allow you to replace the existing login screen with an Azure login screen. Users can authenticate using their AAD credentials and create local users based on those AAD credentials. The Jamf Connect menu bar will also allow the users to keep their local password and AAD password in sync.

dmillertds
New Contributor III

@RBlount thanks for your reply. The answer is we want to primarily use AAD creds to log into the Macs (i.e., your last paragraph). In all the reading I had done on MacOS/AAD integration (which was quite a bit), I never caught that you couldn't actually log into the Mac itself with those credentials. So that's on me for not parsing the fine print carefully enough (I should know better, especially with Apple - don't EVER assume anything!) It's astounding to me this is still the case in 2021, that you can't use a cloud IdP for MacOS without involving a 3rd party solution! I have had NoMAD/NoMAD Login working for a couple years, with some hiccups - guess we'll have to stick with that. Thanks again for setting me straight.